I want to let some of my friends access my computer by making them user accounts. They will mostly access my computer by sftp and ssh, but they could also sometimes access it at my home. However, I don't want them to be able to see all my files (not my personal files from my home directory, I mean files that reside outside of the user directory, like etc, lib...)

And the answer that was given to me was that if I chroot the user, I will need to create a complete environment for every user.

Is there a way to actually prevent users from going outside of their home directory and prevent them from passing an argument to a program like cp that would point outside of their home directory, or any way to actually keep my system private? What is the best solution? I want them to be able to fully use all my programs, but be unable to copy or read files, or use programs to read or copy files, outside of their home directory.

You are trying to do two mutually exclusive things. You can't give people "full access" while locking them down at the same time.
– CodeGnome Apr 22 '12 at 1:59

It's hard to grant shell access and limit it to a directory without a full-blown chroot and even that is not fool-proof. Chroot environments are intended more for development and testing than for security. If you are willing to restrict users to sftp only without any shell access, if I remember correctly, that was not only possible but much easier to do by using the internal-sftp option with ChrootDirectory in sshd_config. You'll also want to consider setting up quotas if you share the same partition with the other users so they can't fill up your free drive space.
– jw013 Apr 22 '12 at 2:45

5 Answers

Use standard Unix file permissions to protect your files. The advantage here is that it's really easy to set up, as it's just a matter of deciding which files you want protected and setting the appropriate permissions on them. The downside is that your friend will not be able to do everything on the system, as they won't have root access.

Run a true Virtual Machine. Xen or Virtualbox can be run to give a fully operational server to your friend. This can be quite resource-intensive in terms of memory, CPU and disk, but it's the most separate from your files.

You have a few options that will make your home directory (or part of it) off limits.

Change your home directory to owner-only access using chmod 700 ~. This will allow only you and root to access the directory.

Move your home directory to an encrypted file system. (This will prevent them from accessing it when you don't have it unencrypted. Combine with the above if they may have access while you have the file system unencrypted.)

Use a file encryption tool to prevent access to individual files.

Hide the private files in hidden directories. Use a name like .private to hide your private stuff. This is only security by obscurity. You will need to combine it with one or more of the above options to make it secure.

Remember, if you give your friends root access, they have a lot of power to bypass your security settings. (Sharing access to systems with files you don't want to share has risks.)

Agree. If OP's requirement is just that the friends can't access the OP's private files, then appropriate permissions and ownership are sufficient. chmod -R go-rwxs ~/my_private_dir would make the files in my_private_dir inaccessible to the friends. Setting umask 077 (in appropriate login script) would prevent newly created files being visible to friends.
– Brian Swift Apr 23 '12 at 8:21

Iron Bars SHell, or short ibsh, is my first attempt to create a restricted working environment for Linux/Unix. I'm sure that many system administrators wish or have wished for a way to lock some/all users into a safe dungeon, where they can only do harm to their own files.